Enterprises utilize Mobile Device Management (MDM) services to configure mobile devices that are connected to company networks in order to enforce security standards and keep data secure. For this project we took 3 MDMs and assessed their functionalities for items of potential forensic importance. This blog focuses on Mobile Iron, a top tier MDM created by a company of the same name.
Some of the forensic benefits of Mobile Iron lie in the ability to learn basic information about connected devices. This includes the phone’s carrier, number, location and International Mobile Subscriber Identity (IMSI). The dashboard allows administrators to lock or unlock the phone, send a message to the user or force a “check in” of the device. The admin can also retire the device which removes the management’s features and documents related to the the app but leaves the rest of the device’s data alone. The Admin can also wipe the device, resetting it to factory defaults.
Forensic / Cybersecurity services
In Mobile Iron, administrators can configure a services that can be valuable to both a security official or a digital forensic investigator: VPNs, Wi-Fi, and custom configurations. These configurations are applied to the device Over-The-Air (OTA) and enforced immediately depending on how severe the change is.
Several VPN presets are configurable through the MDM: Regular VPN, VPN on Demand, Always on VPN, and Per App VPN. While each of these configurations will set up a VPN to route the device’s network traffic to, the On Demand, Always On and Per App VPN settings have specific triggers that cause the device to enable VPN redirection. The Always on VPN forces a VPN connection at all times without the device user starting it. The Per App VPN causes the connection to establish when the user launches any app that is designated during the configuration.
Wi-Fi connections can be configured where the device will try to connect to the network specified when creating the configuration.
Custom Configurations allow for someone to create a configuration and then send it through OTA to the phone to be enforced. This is really useful if you want to create some kind of configuration that can be used for forensic purposes or for cyber security Purposes.
Mobile Iron falls short in our initial research goal of assessing which MDM has the most potential to aid a digital forensic investigation. While the program is able to access certain data, none of it gives any particularly revealing information. However, Mobile Iron does have the capability to gather location data as well as push custom user policies or configurations.